Microsoft Launches 'HealthVault' Records-Storage Site

At a gathering of healthcare providers in Washington, D.C., on Thursday morning, Microsoft is expected to launch HealthVault, an online repository where users can store health-related information, like their medical records, for free.

As the name suggests, the HealthVault site is designed to be an online, encrypted vault, where U.S. users can store and manage their health records without paying a fee. The site will also serve as a repository for health-related articles and other information, Microsoft said.

HealthVault will also allow users to upload data from a small number of HealthVault-compatible devices, and allow users to send, receive and store their own medical records and information from doctors and healthcare providers. The information that could be stored in the vault includes data from fitness-related and health activities, according to Microsoft. Examples include aerobic sessions, measurements such as blood glucose and blood pressure, discharge summaries from hospitalizations, lab results, medications, and health history.

Microsoft's effort also won an endorsement from the Patient Privacy Rights Foundation, which praised Microsoft's privacy policy for letting users control, through an opt-in program, which information they provide to other services. On its privacy page, Microsoft says "We do not use your health information for commercial purposes unless we ask and you clearly tell us we may."

The site will operate in conjunction with the improvements to Windows Live Search, especially the health-specific search engine that Microsoft debuted last week. The HealthVault site went live briefly on Wednesday, before Microsoft restricted the site to the health-related search engine.

The question, however, is what legal liability Microsoft will end up accepting as the operator of the HealthVault site. Furthermore, it is unclear what role the site will play inside the chain of agencies covered by the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996 and governs the transmission of confidential healthcare information. HIPAA covers "health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA," according to the act. It also covers "business associates" in certain cases, which includes "specified written safeguards" as data passes from one entity to another.

Reached before the official launch, a Microsoft spokeswoman said that the HealthVault site was covered by "HIPAA considerations," but she did not know the extent.

Microsoft: security is a top concern

Users can be granted access to other records, and manage them, as in the case of a sick mother's records managed by her son. Users have different levels of access privileges, with the highest being "custodial" access, with free privileges to add, modify or delete data, as well as grant or deny others access. The second tier is a "view-and-modify" access, and there is a time-limited, view-only access tier as well.

However, the site has made extra efforts to boost security. Based upon a PC Magazine examination of the site, users will in some cases be required to increase the complexity of their password until Microsoft's algorithms classify it as a "strong" password. (The definition of "strong" appears to include a password with a minimum number of characters, numbers, and some capitalization or special characters.)

Searches for medical information aren't identified by person or username, although logs of the searches are saved for 90 days, the Microsoft spokeswoman said. In addition, accesses and changes to health records are logged and viewable to the user.

Finally, Microsoft said the company isolated traffic onto a virtually separate network and located its servers in physically separate, locked cages.

"All data that moves among our systems are encrypted, including all traffic to and from HealthVault, its users and its partners," Microsoft said in a statement. "Access to HealthVault data by Microsoft employees is tightly controlled and extremely limited to a small group of personnel necessary to perform essential operations. All of our back up data is encrypted, and every stage of its transportation is logged. We also log every time records are created, changed, or read, leaving a clear audit trail."

However, the site's partners and their programs appear to only be answerable to Microsoft, who will serve as arbiter in any disputes. "In order to make a Program available through the Service, the Program provider must commit to protecting the privacy of your health data," the privacy policy states. "Microsoft can revoke a Program provider's access to the Service if a Program does not meet its privacy commitments to Microsoft. We encourage you to contact us if you believe a Program is not protecting the privacy or security of your health data."

Records can be instantly discarded, but Microsoft will hold them in a private cache for 90 days as a foil against malicious deletion, the site's privacy policy says.

Much of the site's expected health-related information was absent before the official launch, although users could log in and conceivably begin uploading data. Microsoft has made available special drivers so that users of certain blood pressure monitors can upload the information directly to the site. How that information will be maintained (as discrete pieces of information or data that can be crosslinked to ongoing exercise, weight, and blood pressure logs, for example) was not specified.

However, the site's partners are expected to shoulder some of the burden, the Microsoft spokeswoman said. For example, one partner application will provide doctors with a virtual fax number that will take the faxed document and automatically add it to the HealthVault account, she said.

Microsoft said approximately forty applications and devices are either available or planned for the HealthVault platform, with contributions from ActiveHealth Management, Allscripts, American Diabetes Association, American Heart Association and American Stroke Association, American Lung Association, Eclipsys Corporation, Home Diagnostics, Johnson & Johnson's LifeScan, Microlife USA, Nexcura, US Wellness, and WorldDoc, among others.